From a83fcc40d0d86e70ca7f7f6b68ab714a868bf2e0 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Thu, 8 Oct 2015 11:43:59 -0400
Subject: [PATCH] queue: Impose staff visibility constraints

---
 include/class.search.php                      |  9 +++++++
 .../staff/templates/queue-tickets.tmpl.php    | 26 +++++++++++++++++--
 scp/tickets.php                               |  1 -
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/include/class.search.php b/include/class.search.php
index 141f5a0fe..70da8d0fa 100644
--- a/include/class.search.php
+++ b/include/class.search.php
@@ -1107,6 +1107,15 @@ class SavedSearch extends VerySimpleModel {
             || $this->hasFlag(self::FLAG_PUBLIC);
     }
 
+    function ignoreVisibilityConstraints() {
+        global $thisstaff;
+
+        // For saved searches (not queues), staff can have a permission to
+        // see all records
+        return !$this->hasFlag(self::FLAG_QUEUE)
+            && $thisstaff->hasPerm(SearchBackend::PERM_EVERYTHING);
+    }
+
     protected function hasFlag($flag) {
         return $this->flags & $flag !== 0;
     }
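Review bot: The new ignoreVisibilityConstraints() decides whether the per-staff filter is applied at all, and it does so through hasFlag(), whose body on the context lines reads `$this->flags & $flag !== 0`; in PHP `!==` binds tighter than `&`, so that evaluates `$this->flags & 1` and reports bit 0 regardless of which flag is asked for. Unless FLAG_QUEUE happens to be the value 1, a queue can be mis-detected as a saved search and the PERM_EVERYTHING bypass granted where it should not be, so the helper needs `return ($this->flags & $flag) !== 0;` for the new method to be meaningful. The method also dereferences the global `$thisstaff` without a guard; a null here would turn a visibility decision into a fatal error, and `return !$this->hasFlag(self::FLAG_QUEUE) && $thisstaff && $thisstaff->hasPerm(SearchBackend::PERM_EVERYTHING);` fails closed instead. The enclosing SavedSearch class continues outside the hunk.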
diff --git a/include/staff/templates/queue-tickets.tmpl.php b/include/staff/templates/queue-tickets.tmpl.php
index 373c0a1b5..57a136b88 100644
--- a/include/staff/templates/queue-tickets.tmpl.php
+++ b/include/staff/templates/queue-tickets.tmpl.php
@@ -2,12 +2,34 @@
 // Calling convention (assumed global scope):
 // $tickets - <QuerySet> with all columns and annotations necessary to
 //      render the full page
-// $count - <int> number of records matching the search / filter part of the
-//      query
+
+// For searches, some staff members may be able to see everything
+$view_all_tickets = $queue->ignoreVisibilityConstraints();
+
+// Impose visibility constraints
+// ------------------------------------------------------------
+if (!$view_all_tickets) {
+    // -- Open and assigned to me
+    $assigned = Q::any(array(
+        'staff_id' => $thisstaff->getId(),
+    ));
+    // -- Open and assigned to a team of mine
+    if ($teams = array_filter($thisstaff->getTeams()))
+        $assigned->add(array('team_id__in' => $teams));
+
+    $visibility = Q::any(new Q(array('status__state'=>'open', $assigned)));
+
+    // -- Routed to a department of mine
+    if (!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
+        $visibility->add(array('dept_id__in' => $depts));
+
+    $tickets->filter($visibility);
+}
 
 $page = ($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
 $pageNav = new Pagenate($count, $page, PAGE_LIMIT);
 $pageNav->setURL('tickets.php', $args);
+$count = count($tickets);
 $tickets = $pageNav->paginate($tickets);
 
 // Make sure the cdata materialized view is available
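Review bot: `$count` is now assigned on the line after `new Pagenate($count, $page, PAGE_LIMIT)`, and this commit removes the only earlier assignment (the `$count = count($tickets);` deleted from scp/tickets.php in the next hunk) together with the `$count` entry in the calling-convention comment, so Pagenate is constructed from an undefined variable and the page count no longer reflects the visibility-filtered set. The line should move up so the total is taken after the filter but before pagination: `$count = count($tickets);` immediately before `$pageNav = new Pagenate($count, $page, PAGE_LIMIT);`. Since this template now reads `$queue` and `$thisstaff` directly, the calling-convention comment at the top should list them, e.g. `// $queue - <SavedSearch> whose ignoreVisibilityConstraints() gates the filter` and `// $thisstaff - <Staff> whose assignments, teams and departments bound visibility`. It is assumed here that `$tickets->filter($visibility)` narrows the set in place; if it returns a new QuerySet instead, the result must be assigned back or the constraint is silently dropped.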
diff --git a/scp/tickets.php b/scp/tickets.php
index 813bec08a..d367ac6ec 100644
--- a/scp/tickets.php
+++ b/scp/tickets.php
@@ -459,7 +459,6 @@ if($ticket) {
         $inc = 'templates/queue-tickets.tmpl.php';
         $quick_filter = @$_REQUEST['filter'];
         $tickets = $queue->getQuery(false, $quick_filter);
-        $count = count($tickets);
     }
 
     //Clear active submenu on search with no status
-- 
GitLab